OpenSSH with Mac Keychain

Chao-Chin Yang ccyang at
Wed Feb 7 07:04:04 UTC 2018

Dear Rainer,

Thanks for the response.

I can attest that openssh+gsskex does not support keychain, because my port installation is openssh @7.6p1_2+gsskex+kerberos5+xauth.

This puts me in a dilemma.  I need for one particular remote system the gsskex support, which was removed by Apple quite some time ago.  That was why I started using macports’ version in the first place.

I guess the only thing I can do is to make a special alias for that remote system using the macports’ openssh, and use Apple’s version for all others.  This is annoying that Apple is customizing its own ssh…


> On Feb 5, 2018, at 6:55 AM, Rainer Müller <raimue at> wrote:
> On 2018-01-31 21:28, Chao-Chin Yang wrote:
>> I can continue to log into the remote system without entering again the
>> passphrase.  However, once I completely log out of my Mac and re-log
>> into my Mac, the terminal does not remember my passphrase anymore.
> As of macOS 10.12 Sierra, this is the intended behavior:
>> After googling around, it seems that the Mac native SSH has added a new
>> SSH keyword “UseKeychain”, while the MacPorts version does not have this
>> keyword and is having problem talking to Keychain.  I cannot find any
>> solution to this.
>> Does anyone know any solution or is working on one?
> Unfortunately, the keychain support is a custom patch by Apple that is
> not in the upstream sources. The patch will only be applied when
> installing it with the +gsskex variant, however, I have not tested it
> myself.
> Personally, I usually use /usr/bin/ssh because of the keychain
> integration, but I have the following lines in my ~/.ssh/config that
> stop /opt/local/bin/ssh from choking on the unknown options:
>  IgnoreUnknown AddKeysToAgent,UseKeychain
>  AddKeysToAgent yes
>  UseKeychain yes
> Hope that helps,
> Rainer

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the macports-users mailing list